Differences between revisions 23 and 24
Revision 23 as of 2012-01-29 18:44:52
Size: 6029
Editor: LucianoBello
Comment: the DSA allocation and the fixed package version number
Revision 24 as of 2012-06-24 18:53:27
Size: 6291
Comment: add snippet to send DSA mail
Allocating a DSA Number

The procedure for allocating a unique DSA number is to add an entry to data/DSA/list in the secure-testing repository. Please do this before releasing a DSA to avoid accidental duplication. In this commit you may also want to include the version number of the fixed package. For example:

{{{
[squeeze] - libxml2 2.7.8.dfsg-2+squeeze2
[lenny] - libxml2 2.6.32.dfsg-5+lenny5
}}}

Releasing an update

There now follows a worked example of issuing DSA-2156-1 for "pcsc".

Run new-security-install:

{{{
skx@chopin:~$ cd /org/security-master.debian.org/queue/embargoed/
skx@chopin:/org/security-master.debian.org/queue/embargoed$ dak new-security-install pcsc*.changes
Non-dak user: skx
Sync stuff for upload to ftpmaster
Now put it into the security archive
Domination
Generating filelist for apt-ftparchive
Updating Packages and Sources files... This may take a while, be patient
...
}}}

The update is now released without further confirmation, so make sure your globbing is correct!

Important: you are better off running dak n-s-i under a screen session. If, for any reason, the command is terminated (disconnect, ^C, kill, etc.), archive breakage will occur.

To generate the advisory:

{{{
user@host:~/secure-testing$ bin/gen-DSA 1317-1 tinymux "buffer overflow" CVE-2007-1655 417539
[The advisory text is previewed]

user@host:~/secure-testing$ bin/gen-DSA --save 1317-1 tinymux "buffer overflow" CVE-2007-1655 417539
[The advisory text is now saved in ./DSA-1317-1 and the data/DSA/list entry added]
}}}

If the DSA id has been used before, the script will refuse to continue. The script relies on the DEBFULLNAME and DEBEMAIL environment variables that devscripts also uses. If you omit the DSA number, the script will pick one for you.

FIXME: the fixed versions need to be passed via ${codename}_VERSION env vars (or by hand, later).

Note: the script is really just a hack, but it can help everyone use the same template until the final procedure is decided. Don't forget to svn up before using it.

There's also gen-DSA.py which is similar. It obtains information from the queues and hence some parts need to be run on security-master. Check its documentation for the gory details.

Troubleshooting

Stable and oldstable sharing the same upstream tarball (probably not valid with the new dak)

If you upload e.g. the oldstable update and then the stable update that shares the same tarball, dak will unfortunately reject the second package because the tarball is already there (building with -sa doesn't help either; dak won't find the tarball in this case). As a workaround until this is fixed in dak, move the tarball to a different location after uploading the first update and then upload the second update.

Packages end up in security-master NEW queue

The built packages may end up in security-master's NEW queue instead of the (un)embargoed queues. This is the case when the package has a udeb.

You need to ask ftp-master to approve the packages from NEW. However, note that plainly approving them will install them directly into the security archive, which is not what's normally desired. Instead, ftp-master can add the override manually and then reprocess the upload through unchecked; it then ends up in the embargoed queue like other packages.

Creating website pages (TODO: needs to be reviewed and updated)

Once the template has been created, run parse-advisory.pl to create the appropriate WML files:

{{{
skx@klecker:~/webwml/english/security$ ./parse-advisory.pl ~/dsa-1317-1 .. ..
}}}

After that you may want to add the link to the mail on lists.debian.org by hand in the .data file. It makes sense to wait until the mail has shown up in the list archive, since in that case the script finds the link on its own.

Add the two new files to the CVS repository:

{{{
cvs add 2007/dsa-1317.wml 2007/dsa-1317.data
}}}

See TODO for details on working with the Debian website and using WML generally. You will need commit access to issue advisories.

TODO: Mention dsa-www script.

Sending out the announcement to the debian-security-announce

Mail the advisory template file to debian-security-announce@lists.debian.org with an appropriate subject.

The subject should be "[DSA XXXX-1] xxx security update"; it must start with "[DSA", otherwise the message is silently dropped. There is a signature cache to prevent replay attacks, so you need to make a new signature in case of an error. The signer must be a Debian Developer in the "security" group.

You should ensure that the body of the mail contains the text "Mailing-List: debian-security-announce@lists.debian.org", in addition to getting the subject right. Otherwise the mail will be silently dropped.

The advisory should also be saved into /org/security.debian.org/advisories/DSA for future reference.

Note: The template must be "gpg --clearsign"d, or the mail to the list will not be accepted.

If you use bin/gen-dsa to generate your DSA template, the following snippet can be used to send the mail, providing you have a correctly configured local MTA:

{{{
(head -n 4 DSA-2498-1; tail -n +5 DSA-2498-1 |gpg --clearsign) | /usr/lib/sendmail -ti
}}}
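As an added example (not from this wiki page or the secure-testing repository), a small shell wrapper around the send snippet above that refuses to mail a template the list would silently drop: it checks the "[DSA" subject prefix and the Mailing-List: body line described in this section before clearsigning. The 4-line header split follows the head/tail snippet; the sample template, sender address and package name are constructed for this example.

```shell
#!/bin/sh
# Added example, not the wiki's or the security team's own script.
# Pre-flight checks before a DSA template is clearsigned and handed to
# sendmail, covering the two conditions the list silently enforces:
#   1. the Subject header starts with "[DSA"
#   2. the body carries the Mailing-List: debian-security-announce line
# Assumption: the first 4 lines are mail headers, the rest is the body.

# Return 0 when the unsigned template passes the subject/body checks.
dsa_template_check() {
    f="$1"
    head -n 4 "$f" | grep -q '^Subject: \[DSA ' \
        || { echo "subject must start with [DSA" >&2; return 1; }
    tail -n +5 "$f" | grep -q '^Mailing-List: debian-security-announce@lists.debian.org' \
        || { echo "missing Mailing-List: line in body" >&2; return 1; }
    return 0
}

# Same pipeline as on the page, but only after the checks have passed.
dsa_send() {
    f="$1"
    dsa_template_check "$f" || return 1
    (head -n 4 "$f"; tail -n +5 "$f" | gpg --clearsign) | /usr/lib/sendmail -ti
}

# Constructed sample template: DSA number taken from the page's example,
# sender and package name made up for this example.
DSA_GOOD=$(mktemp)
cat > "$DSA_GOOD" <<'EOF'
From: Security Team <team@example.invalid>
To: debian-security-announce@lists.debian.org
Subject: [DSA 2498-1] example-pkg security update

Mailing-List: debian-security-announce@lists.debian.org
Package        : example-pkg
EOF

# Broken variant: subject without the "[DSA" prefix (would be dropped).
DSA_BAD=$(mktemp)
sed 's/^Subject: \[DSA /Subject: DSA /' "$DSA_GOOD" > "$DSA_BAD"
```

Run `dsa_send DSA-2498-1` in place of the bare pipeline; the temporary sample files only exist so the checks can be exercised without a real template.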

Tips for the DSA body text

  • The description of the issues shouldn't be taken from MITRE; their data has too much detail that is irrelevant for our users. Better to look at the patch, make sure you fully understand the issue and write a text of your own; that's usually simpler and better.
  • Try to give credit to the discoverer where it's known, e.g. "John Woo discovered that an integer overflow...". When they belong to an organisation or company, the company might need to be mentioned (e.g. "John Doe from IT corp").

Rejecting

dak new-security-install does not support rejecting; you need an "echo NOTOK > COMMENTS/REJECT.package_version" in the queue directory. For example, to reject ffmpeg-debian 0.svn20080206-18+lenny2:

{{{
echo NOTOK > /org/security-master.debian.org/queue/embargoed/COMMENTS/REJECT.ffmpeg-debian_0.svn20080206-18+lenny2
}}}

If you reject packages, always make sure to notify wb-team@buildd.d.o, because the buildds don't know that something has been rejected on our side.